Sensitive Data Exposure

PortSwigger does not have any material regarding this, so I will be using the material provided by OWASP.

In short, Sensitive Data Exposure is any case where sensitive information is not adequately protected. This can stem from broken authentication, exposed phpinfo pages, and improper handling of sensitive data while it is being transmitted.

To really understand this vulnerability we need to look at all aspects of it, starting with the threat agents and attack vectors described by OWASP.

“Rather than directly attacking crypto, attackers steal keys, execute man-in-the-middle attacks, or steal clear text data of the server, while in transit, or from the user’s client, e.g. browser. A manual attack is generally required. Previously retrieved password databases could be brute forced by Graphics Processing Units (GPUs).”

You can see just how bad this vulnerability can be from that short snippet alone. Let's move on and look at the security weaknesses.

“The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm, protocol, and cipher usage are common, particularly for weak password hashing storage techniques. For data in transit, server side weaknesses are mainly easy to detect, but hard for data at rest.”

Now let's look at the impacts of this vulnerability, as described by OWASP.

“Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive personal information (PII) data such as health records, credentials, personal data, and credit cards, which often require protection as defined by laws or regulations such as the EU GDPR or local privacy laws.”

Now that we have a solid understanding of this vulnerability and its depth, we can look at what makes an application vulnerable to it, and at which types of attacks can be combined with it in order to identify and trigger it.

“The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information and business secrets require extra protection, particularly if that data falls under privacy laws, e.g. EU’s General Data Protection Regulation (GDPR), or regulations, e.g. financial data protection such as PCI Data Security Standard (PCI DSS). For all such data:

  • Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP, and FTP. External internet traffic is especially dangerous. Verify all internal traffic e.g. between load balancers, web servers, or back-end systems.
  • Are any old or weak cryptographic algorithms used either by default or in older code?
  • Are default crypto keys in use, weak crypto keys generated or re-used, or is proper key management or rotation missing?
  • Is encryption not enforced, e.g. are any user agent (browser) security directives or headers missing?
  • Does the user agent (e.g. app, mail client) not verify if the received server certificate is valid?”

The list above gives us a sense of the key things to look for while hunting for this vulnerability in the wild. Knowing what to look for, we can combine many other types of attacks to demonstrate this vulnerability and disclose it to our clients. If we look at the rest of the OWASP Top 10 documentation, we can see that many of those vulnerabilities correspond to sensitive data exposure.
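As an added example (not part of the original post or of OWASP's material), here is a small defender-side audit that checks three items from the OWASP checklist above: clear-text HTTP, HTTPS not being enforced through a missing or weak Strict-Transport-Security header, and fast unsalted password hashes in storage. The endpoint URLs, headers and user-table rows are constructed sample data, and the 180-day HSTS threshold is an assumption taken from common preload guidance.

```python
import re

# Constructed sample data (not from the original post): headers observed on three
# hypothetical endpoints and a hypothetical excerpt of a user table.
SAMPLE_RESPONSES = {
    "http://shop.example/login": {"Content-Type": "text/html"},
    "https://shop.example/account": {"Strict-Transport-Security": "max-age=300"},
    "https://shop.example/api": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
}
SAMPLE_USERS = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",               # unsalted MD5
    "bob": "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",  # bcrypt
    "carol": "pbkdf2_sha256$600000$c2FsdA$Kb2G6XuU0rW7",      # salted PBKDF2
}
MIN_HSTS_AGE = 15552000  # 180 days, the usual minimum for HSTS preloading (assumed)

def audit_transport(url, headers):
    """Flag clear-text transport or unenforced HTTPS for one response."""
    if url.startswith("http://"):
        return ["clear-text HTTP: data in transit is unprotected"]
    lower = {k.lower(): v for k, v in headers.items()}
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        return ["missing Strict-Transport-Security: HTTPS is not enforced"]
    findings = []
    m = re.search(r"max-age=(\d+)", hsts)
    max_age = int(m.group(1)) if m else 0
    if max_age < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age={max_age} is too short")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings

def classify_hash(stored):
    """Name the password-storage scheme from the stored string's format."""
    if stored.startswith("$2"):
        return "bcrypt"
    if stored.startswith("pbkdf2_"):
        return "pbkdf2"
    if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}", stored):
        return "unsalted md5/sha1"   # fast digests: GPU brute force is cheap
    return "unknown"

def audit_password_storage(users):
    """Return users whose stored hash is not a slow, salted scheme."""
    weak = ("unsalted md5/sha1", "unknown")
    return {u: classify_hash(h) for u, h in users.items()
            if classify_hash(h) in weak}
```

Running `audit_transport` over each entry of `SAMPLE_RESPONSES` and `audit_password_storage(SAMPLE_USERS)` flags the clear-text login page, the weak HSTS policy on the account page, and alice's MD5 hash, while the API endpoint and the bcrypt/PBKDF2 rows pass.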